Security at GrowSurf

Growsurf, Inc. is committed to data security. Here is how we protect and handle private and sensitive data:

  • Data processing: GrowSurf processes data only to fulfill its obligations as related to the Services outlined in our Terms of Service. All personal information for GrowSurf users and participants are shared to the minimal extent. Please see section HOW AND WHY WE USE YOUR PERSONAL INFORMATION on our Privacy Policy
  • Data storing (PII or otherwise) with third party vendors: Please see section PERSONAL INFORMATION WE COLLECT ABOUT USERS AND PARTICIPANTS on our Privacy Policy
  • Data sharing (PII or otherwise) with third party vendors: We only share data with the vendors listed sub-processors section on the GrowSurf GDPR Portal.
  • Data encrypted in transit: We encrypt all data over the HTTPS network protocol.
  • Data encrypted at rest: Certain sensitive information such as third-party API keys and Webhook secrets are encrypted at rest via SHA-256.
  • Data storage: Our servers are located in the states of California, Oregon, and Illinois, United States of America, unless our customer agreements specify otherwise. We utilize cloud providers like Google Cloud and Digital Ocean.
  • Data security: GrowSurf requires the use of a firewall and whitelisted IP addresses, and the use of network load balancers in order to optimize the bandwidth available per each server. We regularly monitor incoming and outgoing data using Network and Graph analytics provided by third-party tools, such as Google Cloud Platform, Digital Ocean, and DataDog. We utilize networking tools such as Cloudflare for firewall and whitelisting utilities that prevent, minimize, and alert of network attacks.
  • Backups: For data storage, we retain daily backups. Data is retained from 30-60 days, depending on the subprocessor.
  • Business Continuity Process: Our internal Business Continuity Process (BCP) outlines protocols in the event of a disruption to normal operations.
  • Disaster Recovery Process: Our internal Disaster Recovery Process (DRP) outlines protocols to restore data in the event of disasters.
  • Data dreaches: Our internal GDPR and CCPA Compliance processes cover protocols for data breaches, user policies, and more.
  • Organizational policies: Our internal IT Procedures and Security Policies cover general internal protocols, password and security/network policies for GrowSurf employees, including handling sensitive customer data.

If security compliance is a must-have for your organization, many GrowSurf self-service customers are able to require a manual opt-in checkbox for participants with a link to GrowSurf's Terms of Service and Privacy Policy in order to partake in the referral program.

Please note, we only accomodate security questionnaire requests, modified DPA requests, or any other legal/vendor requirements for customers on our annual custom plans. If you have bespoke legal and compliance needs, please get in touch with sales.